Israel Privacy Protection Law Cookie Consent Guide: Amendment 13 Compliance for Publishers

Israel's Privacy Protection Law has a long lineage. The original statute dates to 1981, the Privacy Protection Authority — the country's data protection regulator — was established in 2006, and the EU has recognized Israel as an adequate jurisdiction for personal data transfers since 2011, one of only a handful of countries to hold that status. For most of that period the substantive standards were broadly GDPR-aligned but the enforcement architecture was lighter and the technical specifics were less developed. Amendment 13, which took effect in August 2025, changes that. The amendment modernizes the consent standard, expands the rights framework, sharpens cross-border transfer rules, and substantially strengthens the Privacy Protection Authority's enforcement powers. For publishers operating in or targeting Israeli traffic — a market with one of the most digitally engaged populations in the world — the practical effect is that cookie consent and online tracking compliance is now meaningfully closer to the European standard. This guide walks through what changed, what the operating standard is now, and where publishers should focus the remediation work.

The Privacy Protection Law in 2026

The Israeli framework sits on three layers: the Privacy Protection Law itself (the primary statute), the Privacy Protection Regulations (which fill in operational detail, most notably the Data Security Regulations of 2017), and the directives and position papers issued by the Privacy Protection Authority. Amendment 13 modifies the first layer and triggers updates to the second; the third — the Authority's interpretive guidance — has been updated continuously since the amendment took effect.

The core principles will be familiar to anyone working with the GDPR: lawful basis, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability. The lawful bases under Israeli law include consent, contract performance, legal obligation, public interest, and legitimate interest, each with its own scope. For online tracking the relevant bases are consent and, in narrow circumstances, legitimate interest — the same framework most operators already know.

What Amendment 13 Actually Changed

The amendment is broader than cookie consent, but four changes matter most for online publishers.

Strengthened consent standard

The amendment tightens the definition of consent to require it be freely given, specific, informed, and unambiguous — language closely tracking GDPR Article 4(11). Implied consent and continued-use-as-consent, which had been ambiguously acceptable under the older interpretation, are now unambiguously insufficient for non-essential tracking.

Expanded data subject rights

Access, correction, deletion, and objection rights are clarified and expanded. The amendment introduces explicit timelines for responses (45 days, extendable by 30 in complex cases) and clarifies the publisher's obligation to provide a clear path for exercising rights.

Sharper cross-border transfer framework

Transfers to non-adequate jurisdictions now require explicit safeguards — model contractual clauses, binding corporate rules, or specific derogations. The framework is closer to the GDPR's Chapter V than the older Israeli approach, and the Authority has begun publishing model clauses similar to the EU SCCs.

Stronger enforcement powers

Administrative fines are increased substantially. The maximum penalty is tied to a percentage of organizational revenue with a high absolute ceiling, similar to the GDPR's tiered structure. The Authority has been given expanded investigative powers including the ability to compel document production and conduct on-site inspections.

Cookie Consent Under the Amended Standard

The Privacy Protection Law does not contain a cookie-specific provision in the way the EU's ePrivacy Directive does. Instead, the consent requirement flows from the general consent standard and from the Authority's interpretive guidance. The 2026 guidance on online tracking, published shortly after Amendment 13 took effect, articulates expectations that align closely with the EDPB Cookie Banner Taskforce criteria.

Required banner elements

The Authority expects banners to include an explicit reject option on the first layer, granular category controls separating strictly necessary cookies from analytics and from marketing, and a clear withdrawal mechanism. Pre-ticked boxes and deceptive link design are explicit defects. The expectation is convergence with European norms, and any banner that passes EU scrutiny will satisfy the Authority.

Hebrew language requirement

Banners serving Israeli traffic should be available in Hebrew. The Authority has not formalized this as a strict requirement but has noted in guidance that Hebrew availability is part of the "informed" prong of the consent standard for Hebrew-speaking audiences.

Documentation and accountability

The accountability principle in Israeli law tracks the GDPR's. Publishers must be able to demonstrate consent decisions on demand. Audit-grade logging — timestamp, banner version, choice, visitor jurisdiction — is the practical requirement.
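A sketch of what such a log can look like, as an added example rather than anything published by the Authority or taken from a particular CMP: each record carries the four fields named above, treats only an explicit opt-in as consent, and is hash-chained so that later edits to stored decisions are detectable. The class and field names, the pseudonymous `visitor_id`, and the hash chain itself are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

CATEGORIES = ("necessary", "analytics", "marketing")  # categories named in this guide
GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLog:
    """Append-only consent log; each entry commits to the previous one (assumed design)."""

    def __init__(self):
        self.entries = []

    def record(self, visitor_id, banner_version, jurisdiction, choice, now=None):
        # Only an explicit True is an opt-in; a missing or null value is never consent.
        granted = {c: choice.get(c) is True for c in CATEGORIES}
        granted["necessary"] = True  # strictly necessary cookies are not consent-gated
        body = {
            "visitor_id": visitor_id,  # pseudonymous ID (assumption of this example)
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
            "banner_version": banner_version,
            "jurisdiction": jurisdiction,
            "choice": granted,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if a stored entry was altered or the chain is broken."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def current_choice(self, visitor_id):
        """Latest entry wins, so a withdrawal overrides an earlier opt-in."""
        for e in reversed(self.entries):
            if e["visitor_id"] == visitor_id:
                return e["choice"]
        return None
```

A withdrawal is recorded as a new entry rather than an update, which keeps the earlier decision available for demonstration on demand. The chain does not detect removal of the most recent entries, so the latest hash should also be stored somewhere the log writer cannot modify.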

The EU Adequacy Question

Israel's EU adequacy decision is one of the most strategically important features of its privacy regime. The 2011 decision allows personal data to flow from the EU to Israel without additional safeguards, making Israeli operators significantly more attractive partners for European businesses than operators in non-adequate jurisdictions. The Commission's periodic adequacy review process requires Israel's framework to keep pace with European standards. Amendment 13 was, in significant part, motivated by maintaining adequacy through the next review cycle.

For publishers, the practical implication is that compliance with the amended Israeli framework is not just about avoiding domestic enforcement; it is about preserving the country's adequacy status and the privileged access to European data flows that status provides. The Authority's enforcement priorities reflect this — banner-design defects on Israeli sites are taken more seriously by the Authority than the same defects might be in non-adequate jurisdictions because of the systemic adequacy implications.

The Privacy Protection Authority's Enforcement Posture

The Authority operates from within the Ministry of Justice but with substantial operational independence. Its enforcement posture has historically been measured — capacity-building, sector consultation, and targeted high-profile cases rather than high-volume fining — but Amendment 13's expanded toolkit has shifted the pattern noticeably.

Investigation triggers

The Authority opens investigations primarily through three channels: data subject complaints, breach notifications, and sectoral reviews. Online publishers tend to surface through the first channel — a complaint about banner design or tracking behavior often becomes the entry point.

Sanctioning practice

The Authority's post-Amendment-13 fines have followed a pattern: a remediation period offered first, with monetary penalties imposed only when remediation is incomplete or refused. The signal is that good-faith compliance posture matters even when defects are present.

Coordination with EU regulators

The Authority participates actively in the Article 29-style coordination mechanisms that involve adequate jurisdictions. Enforcement positions tend to track EDPB guidance, and cross-border complaints involving EU and Israeli traffic are increasingly handled through coordinated procedures.

A Practical Compliance Checklist

Six concrete questions to answer for any cookie banner serving Israeli traffic.

Where Israel Fits in the Global Picture

Israel's Amendment 13 reflects a broader pattern: jurisdictions that pre-date the GDPR are modernizing their frameworks to maintain alignment with European standards. Japan, the UK, South Korea, and Brazil have all followed similar trajectories. For publishers operating across these markets, the practical implication is that a single CMP infrastructure built to European standards handles most of the regulatory landscape — Israel's framework, post-amendment, is firmly inside that envelope. The strategic value is twofold: domestic compliance plus continued participation in the privileged data-flow relationship with the EU that adequate status provides. The investment in proper banner architecture and consent logging that European compliance already justifies is, in Israel, a more directly defensible investment than in most non-adequate jurisdictions.
